Description: This virus attaches itself to all program files in the current directory (the directory from which the virus was executed). It carries a destructive payload that overwrites all files on drive C:\ with the text string KAMIKAZE.

Details: Upon execution, the virus looks up the addresses of the following Win32 Application Programming Interface (API) functions:

CloseHandle
CreateFileA
CreateFileMappingA
FindFirstFileA
FindNextFileA
FindClose
GetFileAttributesA
GetFileSize
GetLocalTime
GetTickCount
MapViewOfFile
SetEndOfFile
SetFileAttributesA
SetFilePointer
UnmapViewOfFile
VirtualAlloc
VirtualFree

When the system date is December 7, it overwrites all files on drive C:\ with this text string:

KAMIKAZE

It then searches for EXE files in the current directory. To infect a file, it encrypts a portion of the host's original code and overwrites that portion with the virus body together with the encrypted host code.

Because the virus overwrites host code rather than appending to it, the size of an infected program does not increase. Most infected programs nevertheless stop working properly, because some portion of the unencrypted host body has been overwritten by virus code.

The time stamp of each infected program file is changed to the time of infection.

In addition, the virus checks for the signature 0xBA in the OEM ID field (offset 0x24) of the MZ header so that it does not re-infect program files it has already infected.
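The two file-level indicators the description gives (the 0xBA re-infection marker in the MZ header's OEM ID field, and files whose contents have been replaced by the KAMIKAZE string) are enough to write a small offline triage script for an incident responder deciding which files to restore from backup. The following is an added example, not Trend Micro's detection logic or any code from the page. It assumes the marker is to be read as the 16-bit e_oemid word at offset 0x24 equal to 0x00BA, and that an overwritten file consists of exactly the payload string; both readings are assumptions, as is every function name. The sample files it writes are constructed for the demo.

```python
"""Triage helper for the PE_KAZE.3228 indicators described in the advisory.

Added example (not the page's or vendor's code). Checks two indicators:
  1. an MZ executable whose OEM ID field (offset 0x24) carries the 0xBA
     re-infection marker;
  2. a file whose body has been replaced with the payload string KAMIKAZE.
Field names, the word-vs-byte reading of the marker and the exact shape of
the overwritten payload are assumptions, not statements from the advisory.
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, Optional

MZ_MAGIC = b"MZ"
DOS_HEADER_SIZE = 0x40
OEM_ID_OFFSET = 0x24          # IMAGE_DOS_HEADER.e_oemid, 16-bit little-endian
KAZE_MARKER = 0xBA            # re-infection marker named in the advisory
PAYLOAD_TEXT = b"KAMIKAZE"    # destructive payload string named in the advisory


def has_kaze_marker(data: bytes) -> bool:
    """True if data is an MZ image whose e_oemid word equals the 0xBA marker.

    Assumption: "signature 0xBA at offset 0x24" is read as the 16-bit field
    holding 0x00BA. Linkers normally leave e_oemid at zero, so any non-zero
    value in this field is unusual and worth inspecting by hand.
    """
    if len(data) < DOS_HEADER_SIZE or data[:2] != MZ_MAGIC:
        return False
    (oem_id,) = struct.unpack_from("<H", data, OEM_ID_OFFSET)
    return oem_id == KAZE_MARKER


def is_payload_overwritten(data: bytes) -> bool:
    """True if the file body is nothing but the KAMIKAZE payload string.

    Assumption: the payload leaves only the string itself; the advisory does
    not say whether padding or repetition follows, so this is an exact match.
    """
    return data == PAYLOAD_TEXT


def triage_file(path) -> Optional[str]:
    """Classify one file as 'infected', 'overwritten', or None (no indicator)."""
    data = Path(path).read_bytes()
    if has_kaze_marker(data):
        return "infected"
    if is_payload_overwritten(data):
        return "overwritten"
    return None


def triage_directory(root) -> Dict[str, str]:
    """Walk root and return {relative_path: verdict} for every flagged file."""
    root = Path(root)
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            verdict = triage_file(full)
            if verdict:
                findings[str(full.relative_to(root))] = verdict
    return findings


def make_dos_header(oem_id: int = 0) -> bytes:
    """Build a constructed 64-byte DOS header (sample input, not a real binary)."""
    header = bytearray(DOS_HEADER_SIZE)
    header[:2] = MZ_MAGIC
    struct.pack_into("<H", header, OEM_ID_OFFSET, oem_id)
    struct.pack_into("<I", header, 0x3C, DOS_HEADER_SIZE)  # e_lfanew past header
    return bytes(header)


if __name__ == "__main__":
    # Constructed samples written to a temp directory so the demo runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "clean.exe").write_bytes(make_dos_header(0) + b"\0" * 16)
        (Path(tmp) / "marked.exe").write_bytes(make_dos_header(KAZE_MARKER) + b"\0" * 16)
        (Path(tmp) / "notes.txt").write_bytes(PAYLOAD_TEXT)
        (Path(tmp) / "readme.txt").write_bytes(b"hello")
        for rel, verdict in sorted(triage_directory(tmp).items()):
            print(f"{verdict:<11} {rel}")
```

Run it against a copy of the affected volume mounted read-only; files reported as "infected" should be replaced from known-good media rather than cleaned in place, since the description states that part of the host body is destroyed, and "overwritten" files can only come back from backup.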

SOLUTION

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as PE_KAZE.3228. Trend Micro customers should download the latest pattern file before scanning. Other users may use HouseCall, Trend Micro's free online virus scanner.

If the virus has already triggered its payload, back up your important data immediately. The operating system will not boot on its next startup, because the virus has overwritten some system DLL files.

You will also need to reinstall the operating system from scratch. Before using backed-up data and programs on the newly installed system, scan them with the latest pattern file to ensure they are not infected.